• No results found

Efficient ID-based Threshold Signature Schemes without Pairings

N/A
N/A
Protected

Academic year: 2020

Share "Efficient ID-based Threshold Signature Schemes without Pairings"

Copied!
18
0
0

Loading.... (view fulltext now)

Full text

(1)

Efficient ID-based Threshold Signature Schemes

without Pairings

Jun Shao, Zhenfu Cao, and Licheng Wang Department of Computer Science and Engineering

Shanghai Jiao Tong University 200030, Shanghai, China P.R.C

chn.junshao@gmail.com, caozf@cs.sjtu.edu.cn, wanglc@sjtu.edu.cn

Abstract. The focus of this paper is to design an efficient and secure so-lution addressing the key escrow problem in ID-based signature schemes, i.e., the Private Key Generator (PKG) knows the user’s private key, which damages the essential requirement–“non-repudiation” property of signature schemes. In this paper, we proposed two ID-based threshold signature schemes, which both reach Girault’s trusted level 3, and in which there exists only one PKG in our ID-based threshold signature schemes. In particular, the second scheme has another good property: it does not require trusting any particular party at any time.

Compared with the previous schemes, our schemes do not need to com-pute pairings, which make them be more efficient than those schemes. Furthermore, our ID-based signature schemes increase the availability of the signing agency and the difficulty for the adversary to learn the private key.

1

Introduction

Certificate-based cryptography allows the user to use an arbitrary string, un-related to his identity, as his public key. When another user wants to use this public key, she must obtain an authorized certificate that contains this public key. This creates the certificate management problem. For reasons of efficiency and convenience, it is desirable to design a signature scheme without certificate management.

To address this problem, Shamir introduced the concept of ID-based pub-lic key cryptography [Sha84], in 1984. In this kind of pubpub-lic key cryptography, the user’s public key is the user’s identity information, e.g., the email address, while the private key is computed from the public key by a Private Key Gen-erator (PKG) who has knowledge of a master secret. As a result, the certificate management problem can be eliminated.

(2)

all users, so he is able to impersonate any user. In particular, in ID-based signa-ture schemes, it removes the essential requirement, “non-repudiation”, of digital signature schemes.

To address this key escrow problem, many researchers [BF03,BZ04a,BZ04b,CZKK04] suggested extending ID-based cryptography to be ID-based threshold cryptog-raphy. Using an ID-based threshold signature scheme, digital signatures can be produced by a group of players rather than by one party. Compared with the regular ID-based signature schemes where the signer is single entity which holds the private key, in ID-based threshold signature schemes the private key is shared by a group ofnplayers. In order to produce a valid signature on a given message m, the number of the participant players must attain the given threshold value, the signature can be created. More precisely, a typical (t, n) ID-based threshold signature scheme follows the three basic properties:

– Anytor more players in the group can cooperate with each other to generate a valid group signature, while they don’t reveal any information about their sub-secret keys or the private key.

– Anyt−1 or fewer players in the group cannot create a valid group signature, even after producing many signatures on different messages.

– Any verifier can verify the group signature with only knowing the group identity and the public key of the PKG. In other words, the signature is pro-duced in an ID-based threshold signature scheme is the same as if propro-duced in a regular ID-based signature scheme. In particular, verification of the signature is dependent of the way the signature generation is implemented. Besides removing the key escrow problem, an (t, n) ID-based threshold sig-nature scheme has another two advantages: (1) increasing the availability of the signing agency, since if onlytplayers perform the scheme honestly, the signature can be generated successfully; (2) increasing the difficulty for the adversary to learn the private key, since only the adversary corruptstor more players, he can learn the private key.

1.1 Previous Work

(3)

not only solves the key escrow problem, but also removes the disadvantages of Boneh and Franklin’s method. To our best knowledge, though there exists a particular party knows the private key in Chen et al.’s scheme, it is considered as the best solution among the existing schemes. In this paper, we get better solutions: more efficient (in terms of computational complexity) and more secure (no particular party knows the private key).

1.2 Our Contribution

We present two ID-based threshold signature schemes which enjoy the following properties.

Provable security: Based on the Schnorr’s signature scheme [Sch91], we first propose a new ID-based signature scheme without bilinear pairings, which is provably secure in the random oracle model and achieves the Girault’s trusted level 3 [Gir91] (i.e., the PKG does not know (or cannot easily compute) the users private keys. Moreover, it can be proved that the PKG generated false public keys of users if it does so.). Based on the proposed ID-based signature scheme, we propose two provably secure ID-based threshold signature schemes.

Efficiency: Since there is no bilinear pairings in our schemes, our schemes are more efficient than the existing schemes. We will give the performance evaluation in Section 7.

Flexible thresholds: The value of threshold is up to the users.

Assumed trust: In our first ID-based threshold signature scheme, the group manager should be trusted, since he knows the private key. While our second ID-based threshold signature scheme does not require trusting any particular party at any time, including during the generation of private key.

Limited power of the PKG: In our both ID-based threshold signature schemes, the only thing the PKG can do is to cooperate with the user to generate the user’s private key. However, the PKG cannot learn the user’s private. If the PKG generates the user’s private key by himself, it can be detected.

1.3 Organization

(4)

2

Model and Definitions

In this section we review the communication model and the definitions of secure ID-based threshold signature scheme.

Communication model. The players in our schemes include a set ofnplayers who are connected by an authenticated broadcast channel. In addition, all players are capable of private point-point communication over secure channels. Finally, we work in a synchronous communication model. These assumptions allow us to focus on high-level descriptions of the protocols. For the details, the reader can refer to [GJKR96][Section 2].

The adversary. Our (t, n) ID-based threshold signature schemes assume a non-adaptive adversary (static adversary) who may corrupt up tot−1 players in advance of protocol execution. The adversary has access to all information available to the corrupted players, including their sub-secrets, messages they receive, and messages broadcast to all players. Furthermore, the adversary can cause player to deviate arbitrarily from the protocol.

ID-based signature scheme. Recall that ID-based signature scheme S is consisted of four random protocols: Setup, Extract,Sign, Verify. The Setup protocol takes as input the security parameterk, and generatesparams(system parameters) and master-key. The Extract protocol takes as input a user’sID and the master key, and returns the user’s private key, denoted bydID. TheSign protocol signs messages using the user’s private key and the Verify protocol verifies signatures using the user’sIDandparams. However, in order to achieve Girault’s trusted level 3, we modify theExtractprotocol slightly in this paper, i.e., add the data chosen by the user to the input.

The notion of security for ID-based signature scheme was formally defined in [CC03]. The following definition captures the notion: existential unforgeability against adaptively chosen identity and message attack.

Definition 2.1. We say that an ID-based signature schemeS(Setup,Extract,

Sign, Verify) is unforgeable if no adversary who is given the public key of the PKG generated by Setup, the private keys of k1 identitiesIDi1,· · ·, IDik1

adaptively chosen, and the signatures ofk2 tuples(IDj1, mj1),· · ·,(IDjk2, mjk2)

adaptively chosen, can produce the signature on a new messagemunder the iden-tityID(i.e.,ID6∈ {IDi1,· · ·, IDik1},(ID, m)6∈ {(IDj1, mj1),· · ·,(IDjk2, mjk2)})

with non-negligible probability.

(5)

Setup. Identical to that in ID-based signature scheme.

Thresh-Extract. According to whether there exists a particular party knowing the private key, this protocol can be categorized aswith orwithout a group manager. In the former one, there are a PKG, a group manager, andn play-ers. Firstly, the group manager gets the private key through an interactive protocol with the PKG. Secondly, the group manager distributes the private key to thenplayers through some verifiable secrete sharing scheme. In the latter one, there are only a PKG andn players. The private key is jointly generated by the PKG and thesenplayers. In both of two, the public key is always the identityID of thesenplayers.

Thresh-Sign. It is the distributed signature protocol. The private input of playerPi is his share of the private key. The public key inputs consist of a messagemand the identityIDof thesenplayers. The output of the protocol is a signature for messagemunder the identity ID.

Verify. Identical to that in ID-based signature scheme.

From the verifier’s viewpoint, ID-based threshold signature scheme is the same as ID-based signature scheme.

Secure ID-based threshold signature scheme. Following the idea in [GJKR96], the definition of security for ID-based threshold signature scheme includes both

unforgeability androbustness.

Definition 2.2. We say that a(t, n)ID-based threshold signature schemeT S=(Setup,

Thresh-Extract, Thresh-Sign, Verify) is unforgeable, if no adversary who corrupts at mostt−1players, and is given the view ofT hresh−Extracton input

k1identitiesIDi1,· · ·, IDik1 adaptively chosen, and ofThresh-Signon inputk2

tuples (IDj1, mj1),· · ·,(IDjk2, mjk2) adaptively chosen, can produce the

signa-ture on a new message munder the identity ID (i.e., ID6∈ {IDi1,· · ·, IDik1},

(ID, m)6∈ {(IDj1, mj1),· · ·,(IDjk2, mjk2)}) with non-negligible probability.

Definition 2.3. An ID-based threshold signature schemeT S=(Setup,Thresh-Extract,

Thresh-Sign,Verify) is(t, n)robust if in a group ofnplayers, even in the pres-ence of an adversary who corrupts at most t−1 players, bothThresh-Extract

andThresh-Sign can complete successfully.

3

The Schnorr’s Signature Scheme.

The Schonrr’s signature scheme [Sch91] is a signature scheme based on the dis-crete logarithm problem, which can be proved secure against the adaptively chosen message attack in the random oracle model. It consists of the following three protocols:Setup,Sign,Verify.

Setup. It takes as input a security parameter 1k and outputs a public key (p, q, g, H(·), y) and a secret key x, where p and q are two large primes, q|p−1, g is a generator of order q in Zp, H(·) is a cryptographic hash function:{0,1}∗Z

(6)

Sign. To sign a messagem, the user does the following performances. (1) choose a randomr∈Z∗

q, (2) computeR =grmodp, and (3) set the signature to be (R, σ), whereσ=r+xH(m||R) modq.

Verify. To verify a signature (R, σ) for message m, the verifier does: check =? RyH(m||R)modp. If it holds, the signature is valid; otherwise, the

signature is invalid.

4

Basic Tools

In this section we recall Feldman’s verifiable secret sharing protocol [Fel87], de-noted here byProtocol VSS, and the secure distributed key generation protocol [GJKR99], denoted here byProtocol DKG.1

We say an issue is acomplaint if the share of a player cannot pass the verified equation, and the player asks the dealer to reveal his share. We say a dealer is

disqualified if more thantplayers broadcast complaints against the dealer. A high-level descriptions of the Protocol VSS and the Protocol DKG are given in Figure 1 and Figure 2, respectively.p,qare two large primes, and they satisfyq|p−1, andg,hare two random generators ofZpof orderq. For details, the reader can refer to [Fel87,GJKR99].

5

New ID-based Signature Scheme

In this section, we propose our ID-based signature scheme without pairings, which is based on the Schnorr’s signature scheme. Follow the definition of ID-based signature schemes, it consists of the following four protocols.

Setup. Given security parameterk1, k2∈Z+, the protocol works as follows:

Step 1: Choose ak1-bit primepand ak2-bit primeq, such thatq|p−1.

Step 2: Choose a generatorgof orderq inZp. Step 3: Choose a randomx∈Z∗

q, and computey=gxmodp.

Step 4: Choose two cryptographic hash functions H1(·) and H2(·), such

thatH1:{0,1}∗→Zq∗,H2:{0,1}∗→Zq∗.

The public key of PKG is (p, q, g, y, H1(·), H2(·)), and the corresponding

master key isx.

Extract. It is an interactive protocol between the user and the PKG.

1. The user first chooses a randomrID∈Zq∗, and computesRID=grID mod p. At last, the user sends (ID, RID) to the PKG.

2. Upon receiving (ID, RID), the PKG does: (1) choose a randomrP KG∈ Z∗

q, (2) compute RP KG = grP KG modp, and (3) set the private key skID←(RP KG, dID), wheredID=rP KG+xH1(ID||RID||RP KG) mod q. At last, the PKG sends the private key to the user.

1 The protocols in this paper are slightly different from the original ones, however,

(7)

Protocol VSS participants:a dealer,nplayersPi(i= 1,· · ·, n).

input:r,R,p,q,g, such thatR=grmodp.

1. The dealer performs as follows.

(a) Chooses a random polynomialf(x) overZqof degreet−1:

f(x) =

t−1 X

i=0 aixi,

such thatf(0) =a0=r.

(b) BroadcastAi=gf(i)modpfori= 0,· · ·, n. Notice thatA0=Rmodp.

(c) Compute the sharesri=f(i) modqfori= 1,· · ·, n and sendsri to player Piby a secret channel.

2. Upon receivingrifrom the dealer, each playerPidoes the following performances.

(a) Choose randomlyt Akj’s fromAk(k= 0,· · ·, i−1, i+ 1,· · ·, n).

(b) Check

gri =? A

i=? t−1 Y

j=0 ki,kj

j modp, (1)

whereλi,kj’s are the Lagrange interpolation coefficients. If it does not hold, playerPibroadcasts acomplaint against the dealer.

If more thantplayers complain then the dealer is clearly bad and he is disqualified. Otherwise, the dealer distributes the value oframong thesenplayers.

(8)

Protocol DKG participants:nplayersPi(i= 1,· · ·, n).

input:p,q,g,h.

1. Each playerPidoes the following performances.

(a) Choose two random numberriandr0ioverZq.

(b) Choose two random polynomialsfi(x),fi0(x) overZqof degreet−1:

fi(x) = t−1 X

j=0

aijxj, fi0(x) = t−1 X

j=0 bijxj,

such thatfi(0) =ai0=ri,fi0(0) =bi0.

(c) BroadcastAij=gaijhbij modpforj= 0,· · ·, t−1.

(d) Compute the sharesxij=fijmodpandx0ij=fij0 modpforj= 0,· · ·, t−1,

and sendxij, x0ij to playerPj.

(e) On receivingxji, x0jifrom playerPj, playerPichecks

gxjihx0ji=?

t−1 Y

k=0

(Ajk)i

k modp.

If it does not hold, playerPibroadcasts acomplaintagainst playerPj.

(f) Build the set of non-disqualified playersQUAL.

(g) If playerPiis inQUAL, he broadcastsBij=gfi(j)modpforj= 0,· · ·, n.

(h) For eachj∈QUAL,Pifirst choosest Bjkl’s (kl6=i, andl= 0, . . . , t−1), and

then checks

gxji=? B

ji ?

=

t−1 Y

l=0

(Bjkl)

λi,klmodp, (2)

and

Bj0 ?

=

t−1 Y

l=0

(Bjkl)

λ0,kl modp, (3)

whereλi,kl’s are the Lagrange interpolation coefficients. If one of them does not hold, playerPibroadcasts a complaintagainst playerPj.

(i) Rebuild the set of non-disqualified playersQUAL.

2. The distributed secret value x is not explicitly computed by any party, but it equals x = PiQUALrimodq. Each player Pi sets his share of the secret as xi =

P

j∈QUALxjimodq. The corresponding public key of this group is y = Q

i∈QUALBi0modp.

(9)

3. Upon receiving the private key, the user checks gdID =? R

P KGyH1(ID||RID||RP KG)modp. (4) If it does not hold, the user broadcasts acomplaint against the PKG. 4. The private key of the user isskID=rID+dIDmodq, such that

gskID=R

IDRP KGyH1(ID||RID||RP KG)modp (5) Sign. To sign a message m under the public key ID, the protocol does: (1)

choose a randomr∈Z∗

q, (2) computeR=grmodpandβ=H2(ID||RID||RP KG||R||m),

and (3) set the signature to be (RID, RP KG, R, σ), where σ= r+ (rID+ dID)βmodq.

Verify. To verify a signature (RID, RP KG, R, σ) for message m, the protocol does: check =? R(R

IDRP KGyH1(ID||RID||RP KG))βmodp.

5.1 Security Analysis of Our ID-based Signature Scheme

To prove the security of our ID-based signature scheme, we make use of the tech-niques in [PS00], especially the Forking Lemma, which is described as follows. For details, the reader can refer to [PS00].

Lemma 5.1 (The Forking Lemma ([PS00], Theorem 13)). Let A be a probabilistic polynomial time Turing machine whose input only consists of public data. AndAcan ask to the signer withqsqueries, and can ask to the random

or-acle withqhqueries. Suppose that,Acan produce a valid signature(m, σ1, h, σ2), with probability²≥10(qs+ 1)(qs+qh)/2k, in timeT. If the triple(σ1, h, σ2)can be simulated without knowing the private key, with an indistinguishable distribu-tion probability, then there is an another machine which has control overAand produces two valid signatures(m, σ1, h, σ2) and(m, σ1, h0, σ

0

2)such that h6=h0, within time T0 120686q

hT /².

Theorem 5.1. The proposed ID-based signature scheme achieves Girault’s trusted level 3.

Proof. We suppose the PKG wants to impersonate an honest user whose identity information isID. He can do the following performances:

1. choose a randomr0

ID∈Zq∗ and computeR0ID=gr

0

ID modp.

2. Perform theExtract protocol andSignprotocol of the proposed ID-based signature scheme for the messagem.

3. Output (R0

ID, RP KG, R0, σ0)

(10)

dID = rP KG +xH1(ID||RID||RP KG) modq: the arbiter randomly chooses a message m0 and sends it to the user; the user then perform the Schnorr’s sig-nature scheme (i.e., the secret singing key isdID, and the corresponding public key isRP KGyH1(ID||RID||RP KG)). If the result signature can be pass theVerify protocol of the Schnorr’s signature scheme, the arbiter deduces that the PKG is dishonest because the valuedID is computed by the PKG only (the used sig-nature is the Schnoor’s sigsig-nature scheme, the secret signing key is the PKG’s master key, the corresponding public key is the PKG’s public key, and the mes-sage is (ID||RID).).

As a result, our ID-based signature scheme achieves Girault’s trusted level

3. ut

Theorem 5.2. In the random oracle model, our ID-based signature scheme is existentially unforgeable against adaptively chosen message and ID attack un-der the assumption that the Schnorr’s signature scheme is secure against the adaptively chosen message attack in the random oracle model.

Proof. From the simulations of hash1 oracle (see Fig. 3), Extract oracle (see

Fig. 4), hash2 oracle (see Fig. 5), and Sign oracle (see Fig. 6), we can see

that the view of these simulations is indistinguishable from a view of an actual random execution of the proposed signature scheme. In other words, the signer can be simulated without knowing the master keyx, with an indistinguishable distribution.

Note that, in our scheme, since r is randomly chosen from Z∗

q, hence R is a random number. Furthermore, β is the hash value of ID||RID||RP KG||R||m, and for the same (ID, RID, RP KG), σonly depends onID||RID||RP KG||R||m, andβ.

Now, we can apply the Forking Lemma, and get two valid signatures (m, ID, RID, RP KG, R, σ) withβ and (m, ID, RID, RP KG, R, σ0) withβ. Then we have

(R

IDRP KGyH1(ID||RID||RP KG))−β=

0

(RIDRP KGyH1(ID||RID||RP KG))−β

0

gσ−σ0

= (RIDRP KGyH1(ID||RID||RP KG))β−β

0

gσ−σ

0

β−β0 =R

IDRP KGyH1(ID||RID||RP KG)

That is, the user’s private key is σ−σ0

β−β0. As a result, we get a valid forgery

on message m(= ID) for the Schnorr’s signature scheme, in which the secret signing key and the public key are the master key and the public key of the PKG, respectively. The valid forgery is (RIDRP KG,σ−σ

0

β−β0). Though there is a

slight difference between this forgery and the regular signature of the Schnorr’s signature scheme (H1(m||RID||RP KG) VS. H1(m||RIDRP KG)), it can be con-sidered as a difference on the construction of hash function which is the same in the random oracle model.

(11)

— For ahash1-queryH1(IDi, R1, R2), such that a record (IDi, R1, R2, α, β) appears

in listH1, the answer isβ. Otherwise the answerβis defined according to the following

rule:

1. Choose a random elementβ∈Z∗ q.

The record (IDi, R1, R2,⊥, β) is added toH1.

Fig. 3.Simulation ofhash1 oracle

— For an Extract-query with (IDi, RID), such that a record (IDi, RID, R2, α, β)

appears in list H1, the answer is (R2, α)a. Otherwise the answer (R2, α) is defined

according to the following rules:

1. Choose two random elementsα, β∈Z∗ q,

2. ComputeR2, such that=R2yβ modp.

The record (IDi, RID, R2, α, β) is added toH1.

a There is a situation thatαis, however, such a situation is very rare.

Fig. 4.Simulation ofExtractoracle

— For a hash2-query with (IDi, R1, R2, R3, m), such that a record

(IDi, R1, R2, R3, m, α, β) appears in list H2, the answer is β. Otherwise the

answerβis defined according to the following rule: 1. Choose a random elementβ∈Z∗

q.

The record (IDi, R1, R2, R3, m,⊥, β) is added toH2.

Fig. 5.Simulation ofhash2 oracle

— For a Sign-query with (m, ID), we produce the answer (RID, RP KG, σ) is

com-puted as following rules:

Step 1 Choose a random numberrIDand computeRID=grIDmodp.

Step 2 Issue theExtract-query with (IDi, RID) ourself, and get (R2, α).

Step 3 Computeσby using (rID, α) in theSignprotocol.

(12)

6

ID-based threshold Signature Scheme

In this section, we extend our ID-based signature scheme to two ID-based thresh-old signature scheme: Scheme 1 and Scheme 2. Furthermore, we give their secu-rity proof in this section.

6.1 Scheme 1

In this subsection, we propose our first ID-based threshold signature scheme, in which there exist a PKG, a group manager and n players, where the group manager knows the private key of this group, and distributes the shares of the private key tonplayers.

Setup. Identical to that in our ID-based signature scheme. Thre-Extract. It is an interactive protocol.

1. The group manager first chooses a random rID Zq∗, and computes RID=grID modp. At last, the user sends (ID, RID) to the PKG. 2. Upon receiving (ID, RID), the PKG does:(1) choose a randomrP KG

Z∗

q, (2) compute RP KG = grP KG modp, and (3) set the private key skID←(RP KG, dID), wheredID=rP KG+xH1(ID||RID||RP KG) mod q. At last, the PKG sends the private key to the group manager. 3. Upon receiving the private key, the group manager checks

gdID =? R

P KGyH1(ID||RID||RP KG)modp.

If it does hold, the user broadcasts acomplaint against the PKG. 4. The group manager andnplayers perform theProtocol VSS, the group

manager is the dealer, and (rID+dID, RIDRP KGyH1(ID||RID||RP KG), p, q, g) is the input of theProtocol VSS.

5. As a result,rID+dIDis shared amongnplayers. Letxi be the share of Pi, andf(x) =rID+dID+

Pt−1

i=1aiximodqbe the used secret-sharing polynomial,Ai=gf(i)modp, (i= 0,· · ·, n).

Thre-Sign. LetΦbe a subset of thenon-disqualifiedplayers, andλΦ i =

Q

k∈Φ,k6=i 0i−−kk, where|Φ| ≥t. To sign a messagem, player Pi in Φdoes the following per-formances.

1. Choose a randomrPi.

2. Compute and broadcastRPi =g

rPimodp. 3. ComputeRp=

Q

i∈ΦR λΦ

i

Pi modp.

4. Compute and broadcastσPi =rPi+xiH2(RID||RP KG||Rp||m) modq. 5. Check

gσPi =? RP i(Ai)

H2(RID||RP KG||Rp||m)modp. (6)

If it does not hold, playerPibroadcasts acomplaint against playerPj. If all the players inΦare honest, the signature is (RID, RP KG, Rp, σ), where σ=PiΦλΦ

iσPimodq.

(13)

6.2 Analysis of Scheme 1

Unforgeability. Following the tradition of the security proof for threshold sig-nature schemes, we use the concept ofsimulatable adversary view [GJKR96] to prove unforgeability. The security of a simulatable ID-based threshold signature scheme equals to the security of its underlying ID-based threshold signature scheme.

Definition 6.1. An ID-based threshold signature schemeT S=(Setup,Thresh-Extract,

Thresh-Sign,Verify) is simulatable if the following properties hold:

1. The protocolThresh-Extractis simulatable. That is, there exists a simula-torSIM1 that, on input the public input , the public output, and the shares oft−1 corrupted players of an execution of Thresh-Extract, can simulate the view of the adversary on that execution.

2. The protocolThresh-Sign is simulatable. That is , there exists a simulator

SIM2 that, the public input, the public output, and the shares of t−1 cor-rupted players of an execution ofThresh-Sign, can simulate the view of the adversary on that execution.

Lemma 6.1. The scheme 1 is simulatable.

Proof. A high-level descriptions of the simulators ofThresh-ExtractandThresh-Sign are given in Fig. 7 and Fig. 8, respectively.

For a polynomialf(x) of degree t−1, f(i) can be computed from other t or moref(j)’s (we denote this set as Φ), by using f(i) =PjΦλΦ

i,jf(j), where λΦ

i,j’s are the Lagrange interpolation coefficients (i.e.,λΦi,j=

Q

k∈Φ,k6=j ji−−kk). On the other hand, if we know t or more gf(j)modp’s, we can compute gf(i) by

usinggf(i)=Q

j∈Φ(gf(j))λ Φ

i,j modp.

Following these above methods, we construct our simulators. In these two simulators, we assume w.l.o.g. that the adversary corrupted the firstt−1 play-ers P1,· · ·, Pt−1. From the viewpoint of the adversary, the output of these two

simulators is indistinguishable from the real execution of Thresh-Extractand

Thresh-Sign. Then we finish this proof. ut

Combining Theorem 5.2 and Lemma 6.1, we have the following theorem. Theorem 6.1. Our scheme 1 is unforgeable, if the Schnorr’s signature scheme is unforgeable.

Robustness. The following theorem can be easily proven by inspection of the scheme 1.

(14)

SIM1 for scheme 1

input:y,RID,RP KG,ID,t−1 sharesxi’s of the corrupted player

1. TheSIM1 computes

Ai= (RIDRP KGyH1(ID||RID||RP KG))λi,0 t−1 Y

j=1

(gxj)λi,j modp,

fori=t,· · ·, n. Notice that thet−1 corrupted players can pass the Equation 1. 2. Follow the Step 2 of Protocol VSS.

Fig. 7.Simulator forThresh-Extractof scheme 1.

SIM2 for scheme 1

input:y,RID,RP KG,ID,t−1 sharesxi’s of the corrupted player

1. After the t−1 corrupted players broadcast RPi(i = 1,· · ·, t−1), the SIM2 computes and broadcasts

RPi =R

λi,0

p t−1 Y

j=1 Rλi,j

Pj modp,

fori=t,· · ·, n.

2. TheSIM2 setf(x) as a polynomial of degreet−1, such thatf(0) =σ,f(i) =

σi(i= 1,· · ·, t−1). And thenSIM2 computesσi=f(i) modq fori=t,· · ·, n.

Notice thatσican pass the Equation 6.

(15)

6.3 Scheme 2

In this subsection, we propose our second ID-based threshold signature scheme. In this scheme, there still exist a PKG, andnplayers. However, there is no one knows the private key of thesenplayers.

Setup. Identical to that in our ID-based signature scheme. Thre-Extract. It is an interactive protocol.

1. Thenplayers perform theProtocol DKG. (p, q, g, h) is the input of the Protocol DKG, where h is a random number inZp, and no one knows the discrete logarithm ofh.2 Let the final shares of playerP

ibe (xi, x0i), and f1(x) =

Pt−1

i=0aiximodq and f2(x) = Pt−1

i=0biximodq are the final secret-sharing polynomials, such that f1(i) = xi and f2(i) = x0i, Ai=gf1(i)modp, (i= 0,· · ·, n). At last, setRID=A0.

2. Upon receiving the tuple (ID, RID), the PKG does: (a) Choose a randomrP KG ∈Zq∗.

(b) Compute and broadcastRP KG=grP KGmodp.

(c) Set the private key skID (RP KG, dID), where dID = rP KG+ xH1(ID||RID||RP KG) modq.

(d) The PKG andnplayers performProtocol VSS. The input ofProtocol VSSis (p, q, g, dID, RP KGyH1(ID||RID||RP KG)). As a result, the PKG distributes dID amongn players. LetdPi be the share of playerPi, f3(x) = dID +

Pt−1

i=1cixi modq be the secret-sharing polynomial, such that f3(i) = dPi, Bi = g

f3(i)modp(i = 0,· · ·, n). At last, set

RP KG=B0.

Thre-Sign. LetΦbe a subset of thenon-disqualifiedplayers, andλΦ i =

Q

k∈Φ,k6=i 0i−−kk, where|Φ| ≥t. To sign a messagem, player Pi in Φdoes the following per-formances.

1. Choose a randomrPi.

2. Compute and broadcastRPi =grPimodp. 3. ComputeRp=

Q

i∈ΦR λΦ

i

Pi modp.

4. Compute and broadcastσPi =rPi+ (xi+dPi)H2(RID||RP KG||Rp||m). 5. Check

Pi =? R

Pi(Aj·Bj)

H2(RID||RP KG||Rp||m)modp. (7)

If it does not hold, playerPibroadcasts acomplaint against playerPj. If all the players inΦare honest, the signature is (RID, RP KG, Rp, σ), where σ=PiΦλΦ

iσPimodq.

Verify. Identical to that in our ID-based signature scheme.

6.4 Analysis of Scheme 2

Unforgeability. Like the security proof of scheme 1, we also use the simulator to prove scheme 2 is unforgeable.

(16)

Lemma 6.2. Scheme 2 is simulatable.

Proof. Due to the simulator for Thresh-Sign of scheme 2 is the same as that in scheme 1, we only give the simulator of Thresh-Extract (see Fig. 9). As mentioned in the proof of Lemma 6.1, the output of the simulator is indistin-guishable from that in the real execution of Thresh-Signof scheme 2, from the adversary’s viewpoint.

As a result, we finish the proof of this lemma. ut

SIM1 for scheme 2

input:y,RID,RP KG,ID,t−1 shares (xi, dPi)’s of the corrupted players.

1. TheSIM1 runs Steps 1(a), 1(b), 1(c), 1(e), 1(f) ofProtocol DKGon the behalf of the uncorrupted players. Letfi(x) =

Pt−1 j=0aijx

j(i= 1,· · ·, n) be the

secret-sharing polynomial dealt by player Pi. Denote by xi the final share of player Pi.

2. The SIM1 computes Bij =gfi(j)modpfori= 1,· · ·, n and j = 1,· · ·, n. For

player Pn doe the following: Set Bn0 = RID· Qn−1

i=1(Bi0)

1 modp. Compute Bni =Bλni,00

Qt1 i=j(g

xj)λi,jmodp, where λi,j’s are known coefficients. For each playerPi, (i=t,· · ·, n) broadcastsBij forj= 1,· · ·, n.

3. TheSIM1 runs Steps 1(h), 1(i), 2 ofProtocol DKG.

4. The SIM1 runs theSIM1 for scheme 1 on the input: (y, RID, RP KG, ID, t−

1 sharesdPi’s of the corrupted players).

Fig. 9.Simulator forThresh-Extractof scheme 2.

Combining Theorem 5.2 and Lemma 6.2, we have the following theorem. Theorem 6.3. Our scheme 2 is unforgeable, if the Schnorr’s signature scheme is unforgeable.

Robustness. The following theorem can be easily proven by inspection of the scheme 2.

Theorem 6.4. Scheme 2 is (t, n) robust, if onlyn≥2t1.

7

Performance Evaluation

In this section, in terms of computational complexity, we show that the efficiency of our ID-based threshold signature schemes is high. The performance evaluation notations are defined as follows:

Texp time for a modular exponetiation computation Tmul time for a multiplication computation

(17)

Like Chenet al.’s scheme, our scheme 1 also has a group manager, while our scheme 2 does not require such a group manager. Furthermore, Chen et al.’s scheme is considered as the best scheme among the existing schemes. Hence, we only give the comparison between Chenet al.’s scheme and our scheme 1, which is shown in Table 1.

From Table 1, our scheme 1 are more efficient than Chen et al.’s scheme, especially inThresh-Sign.

Table 1.The comparison of computational complexitya

Chenet al.’s scheme Our scheme 1

Setup the group manager 1Texp 1Texp

the PKG 1Texp 1Texp+ 1Tmul

Thresh-Extract the group manager nTexp+nTe nTexp

Thresh-Sign Generating a partial signature (2 + 3t)Texp+ (3t−2)Tmul+ 4Te(t+ 1)Texp+tTmul

Combining partial signatures 2tTexp+ 2(t−1)Tmul tTexp+ (t−1)Tmul

Verify 2Texp+ 2Tmul+ 6Te 3Texp+ 3Tmul a We omit the computational complexity of the data’s verification.

8

Conclusion

In this paper, we propose a new ID-based signature scheme without pairings, in which there is on trusted PKG. And then we extend it to be two ID-based threshold signature schemes. In both of these two schemes, there is only one PKG who is not assumed to be trusted. Furthermore, the second scheme does not require trusting any particular party at any time. Our schemes are more efficient than the existing schemes in terms of computation complexity.

References

[BF01] D. Boneh, M. Franklin. Identity-Based Encryption from the Weil Pairing. In Crypto ’01, LNCS 2139, Springer-Verlag, pp. 231-229, 2001.

[BF03] D. Boneh, M. Franklin. Identity-Based Encryption from the Weil Pairing. SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003.

[BZ04a] J. Baek and Y. Zheng. Identity-Based Threshold Decryption. In PKC 2004, LNCS 2947, Springer-Verlag, pp. 262-276, 2004.

[BZ04b] J. Baek and Y. Zheng. Identity-Based Threshold Signature Scheme from the Bilinear Pairings. InProceeding of the international Conference on Information and Technology: Coding and Computing (ITCC’04), pp. 124-128, 2004. [CC03] J. Cha and J. H. Cheon. An Identity-Based Signature from Gap Diffie-Hellman

Groups.In PKC ’03, LNCS 2567, pp. 18-30, Springer-Verlag, 2003.

(18)

[CZKK04] X. Chen, F. Zhang, D. M. Konidala, and K. Kim. New ID-Based Threshold Signature Scheme from Bilinear Pairings. InINDOCRYPT 2004, LNCS 3348, Springer-Verlag, pp. 371-383, 2004.

[Fel87] P. Feldman. A practical Scheme for Non-interactive Verifiable Secret Sharing. InProc. 28th FOCS, pp. 427-437, 1987.

[Gir91] M. Girault. Self-certified public kyes. In EUROCRYPT 1991, LNCS 547, pp. 490-497, 1991.

[GJKR96] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Robust Threshold DSS Signatures. InEUROCRYPT 1996, pp. 354-371, 1996.

[GJKR99] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. The (in) security of dis-tributed key generation in dlog-based cryptosystems. InEUROCRYPT 1999, LNCS 1592, pp. 295-310, 1999.

[Hes02] F. Hess. Efficient Identity Based Signature Schemes Based on Pairings.In SAC ’02, LNCS 2595, pp. 310-324, Springer-Verlag, 2003.

[Pat02] K. G. Paterson. ID-based signatures from pairings on elliptic curves. Avaiable from http://eprint.iacr.org/2002/004.

[Ped91] T. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. InCrypt ’91, LNCS 576, pp. 129-140, 1991.

[PS00] D. Pointcheval and J. Stern. Security Arguments for Digital Signatures and Blind Signatures.Journal of Cryptology, (2000) 13, pp. 361-396, 2000. [Sch91] C. P. Schnorr, “Efficient signature generation by smart cards,” Journal of

Cryptology, Vol. 4, No. 3, pp. 161-174, 1991.

[Sha84] A. Shamir. Identity-based cryptosystems and signature schemes. In Crypto ’84, LNCS 196, Springer-Verlag, pp. 47-53, 1984.

References

Related documents

Self-organizing map (SOM) is one of the branches from ANN that do not require the desired output for the input vectors. Optimum results will be archieved if

When a child restraint is installed in the passenger seat, be sure to turn the seat- back tilt cancel switch to the CANCEL position1. Otherwise, the child restraint may

This dissertation regards chlorophylls and bacteriochlorophylls as ultimate synthetic target and concerns three topics: (1) a new Northern-Southern route towards

(KEY WORDS: Ceriodaphnia dubia, whole effluent toxicity, wastewater effluent toxicity testing, wastewater effluent chronic toxicity, toxicity reduction evaluation, cladoceran

RBAC governs the access request based on the function of each user as a part of the organization, whereas DAC governs the access request based on the

Most researches determine the appropriate sub-band frequency level of discrete wavelet transform that should be selected to maximize the embedding capacity of

The computed equivalent plastic strain as function of temperature together with the critical strain for ductility dip cracking (Alloy 52 curve in Figure 8).. Results are presented

Ground penetrating radar (GPR) usage in detecting subsurface non-metal objects is investigated as there are many factors which can affect the strength of GPR signals such